Abstract

A restrictive blind signature issuing protocol is a cryptographic protocol in which a receiver obtains a secret key, a matching public key, and a certificate of the signer on the public key, in such a way that it can blind the public key and the certificate but not a certain predicate of the secret key. This paper describes the first generally applicable technique for designing efficient such issuing protocols, based on the recently introduced notion of secret-key certificates. The resulting three-move issuing protocols require the receiver to perform only a single on-line multiplication, and the property of restrictive blinding can be proved with respect to a plausible intractability assumption. Application of the new issuing protocols yields privacy-protecting signature transporting mechanisms, such as off-line electronic cash systems, that are not based on the blind signature technique developed by Chaum.
1 Introduction

A restrictive blind signature issuing protocol is a cryptographic protocol in which a receiver obtains a triple consisting of a secret key, a matching public key, and a certificate of the signer on the public key, in such a way that (1) the public key and the certificate can be blinded by the receiver, whereas (2) a certain non-trivial "blinding-invariant" predicate of the secret key cannot. This notion was introduced in [1] for the case that the certificate is a public-key certificate, that is, a digital signature of the issuer on the public key.

Recently [3] the notion of secret-key certificates was introduced. These certificates can be used for secure management of cryptographic keys in much the same way as can public-key certificates. As a consequence it makes sense to issue secret-key certificates by means of restrictive blind issuing protocols. It is the problem of designing such issuing protocols for the new type of certificates that we are concerned with in this paper.

The main result of this paper is a new technique for converting secret-key certificate schemes into restrictive blind signature schemes. The new technique can be applied to any signature scheme of the so-called Fiat-Shamir type, if only it can be turned into an ordinary blind signature scheme (i.e., one without the restrictiveness property) by applying the blinding technique of Okamoto and Ohta [19]. No such generally applicable technique is known for public-key certificates.

The advantages of the resulting issuing protocols over the restrictive blind signature issuing protocol in [1] are threefold: each of the new protocols requires the receiver to perform only a single on-line multiplication (all other computations can be performed beforehand), as opposed to several hundred in [1]; the issuing protocol can be designed such that it can be used in conjunction with showing protocols based on the RSA assumption, instead of the Discrete Log assumption; and it can rigorously be proved that a single receiver cannot blind the blinding-invariant predicate of the secret key, under only a plausible intractability assumption, whereas no such proof is known for the scheme in [1].

The new technique has a direct bearing on the design of efficient privacy-protecting mechanisms for signature transport; for details, the reader is referred to [4] and [5]. Since none of the new issuing protocols is a blind signature issuing protocol as defined by Chaum in [8] and his later work, this radically falsifies the popular belief that efficient privacy-protecting off-line electronic cash systems must be based on withdrawal protocols that are blind signature issuing protocols.

This paper is organized as follows. In Sect. 2 background information needed to understand the subsequent exposition is provided. In Sect. 3 the general technique for restrictive blinding of secret-key certificates is explained on the basis of a particular signature scheme. In Sect. 4 the difference between restrictive blinding of secret-key certificates and the blinding technique of Chaum is discussed. Finally, references are provided in Sect. 5 to articles that explain how to apply the new technique to privacy-protecting signature transporting mechanisms.

2. Background

A summary is provided in this section of the basic notions underlying the material of this paper; familiarity with these notions is essential in order to understand the material in the next section. Because in the next section the technique for designing restrictive blind certificate issuing protocols will be explained, for explicitness, in terms of the Guillou-Quisquater signature scheme [17], this particular scheme will serve throughout this section to illustrate the basic notions.

2.1 Digital Signatures

In a digital signature scheme, the objects of interest are pairs consisting of a message and a digital signature on the message. A digital signature scheme consists of three items [16]. First, a verification algorithm that determines what exactly constitutes a digital signature on a message. This algorithm usually is deterministic and can hence be represented in terms of an equality relation. Secondly, a key generation algorithm that generates a key pair for the signer. And thirdly, a signature issuing protocol between the signer and a receiver.

It is the issuing protocol that we are most concerned with in this paper. The primary purpose of any issuing protocol is to provide a means to ensure that the receiver can obtain message-signature pairs only in a one-to-one correspondence with executions of the protocol. There is virtually no limit to the variety of different issuing protocols that can be used by the signer to issue a certain type of digital signature; it is only on the basis of its intended purpose and (presumed) security that one particular issuing protocol will be more suitable than another. "Ordinary" signature issuing protocols are only intended to meet the primary purpose mentioned above, and need normally not be interactive. If other purposes are to be met as well, then interaction may need to be incorporated.

The most practical type of digital signature schemes known to date originates from a technique introduced by Fiat and Shamir [15]. For this reason we will henceforth refer to this type of scheme as a Fiat-Shamir type signature scheme. Signature schemes of the Fiat-Shamir type have in common that they are derived from three-move sound identification protocols that do not leak "useful" information about the secret key of the prover (without being zero-knowledge), by replacing the challenge of the verifier by a one-way hash of the message and the information sent by the prover in the first move; the verification relation of the underlying identification protocol determines the signature verification algorithm, and the modified protocol is the signature issuing protocol. As a by-product, the interaction is no longer needed, since the signer can compute the challenge by itself. Among the known Fiat-Shamir type signature schemes are the Fiat-Shamir scheme itself [15], the Feige-Fiat-Shamir scheme [14], the Schnorr scheme [21], the Guillou-Quisquater scheme [17], the Brickell-McCurley scheme [7], and the Okamoto schemes [18]. The ElGamal signature scheme [12] and the DSA [11] can also be seen as being of this type; as a simple exercise one may want to write down the underlying sound identification protocols, and apply the conversion of the challenge to a hash-value of the message and the information provided in the first move. (The subtle difference is that in both the ElGamal scheme and the DSA, which are identical except for the additional "mod $q$" operator in the verification relation of the latter, one does not need to hash in the information provided in the first move; taking $c := H(m)$ seems to suffice.) Although no reductions from well-known problems to the security of any of these Fiat-Shamir type signature schemes are known, it is generally believed that they are secure.

Since the exposition in Sect. 3 will be in terms of the Guillou-Quisquater scheme, we will summarize this scheme here. The computations in the Guillou-Quisquater signature scheme are performed in a multiplicative group modulo $n$, denoted by $\mathbb{Z}_n^*$, with $n$ being the product of two distinct large primes. The computations in the exponents are performed modulo a number $v$. For convenience, but without loss of generality, we will always assume that $v$ is a prime number that is not a proper divisor of the order $\varphi(n)$ of $\mathbb{Z}_n^*$; another suitable choice would have been to take $v$ to be twice such a prime number. Furthermore, in expressions involving multiplications and divisions of numbers in $\mathbb{Z}_n^*$ the "mod $n$" operator will never be written down explicitly.

Before describing the three constituents of the Guillou-Quisquater signature scheme, we will state the RSA assumption [20], since this is part of what the scheme derives its presumed security from:

Assumption 1 There is no probabilistic polynomial-time algorithm that, on input a triple $(n, v, h_0)$, outputs $h_0^{1/v}$ with non-negligible probability of success, for an appropriate probability distribution of the input triple.

An appropriate probability distribution may select $n$ by generating at random two distinct primes of length $k$, and multiplying them. From now on, the indication "at random" will refer to a probability distribution over the specified set that assigns to each element the same probability as to any other. Without loss of generality, we will assume henceforth that $n$ and $v$ are generated independently of $h_0$ and are always of the correct form (meaning that, for instance, the probability that $v$ is not prime is zero, instead of merely negligible), and that $h_0$ is generated at random from $\mathbb{Z}_n^*$.

The key generation algorithm for the Guillou-Quisquater signature scheme, on input a security parameter $k$, generates a public key $(n, v, h_0, H(\cdot))$ and a corresponding secret key $x_0 = h_0^{1/v}$, for use by a probabilistic polynomial-time signer $S_0$. The triple $(n, v, h_0)$ is generated as specified in the RSA assumption, and $H(\cdot)$ is a polynomial-size description of a hash-function that maps its inputs to $\mathbb{Z}_t$, for some appropriate $t$ such that $t \le v$. The hash-function is generated at random from a suitable family of hash-functions. This family preferably is correlation-free, as defined by Okamoto [18].

A digital signature on a message $m$ is defined to be a pair $(r_0, c_0)$ such that $c_0 = H(m, r_0^v h_0^{-c_0})$. If the family of hash-functions is sufficiently strong (in particular, correlation-free), then it should be infeasible to algebraically combine several message-signature pairs into a new such pair.

In the signature issuing protocol, $S_0$ issues a signature on a message $m$ to a probabilistic polynomial-time receiver $R_0$ by generating at random a number $w_0 \in \mathbb{Z}_n^*$, and computing $a_0 := w_0^v$, $c_0 := H(m, a_0)$ and $r_0 := x_0^{c_0} w_0$. It is generally believed that executions of this issuing protocol do not help a probabilistic polynomial-time attacker to forge signatures, and so that the primary purpose of an issuing protocol is met by this particular protocol.

2.2 Blind Signature Issuing Protocols 

Besides meeting the primary purpose of an "ordinary" signature issuing protocol, in 
a blind signature issuing protocol (a notion introduced by Chaum [8]) an additional 
property must be satisfied. Namely, the receiver in a blind signature issuing protocol 
must be able to retrieve a pair in such a way that it is uncorrelated to the view of the
signer in the issuing protocol. The computations required of the receiver to achieve 
this property are commonly referred to as "blinding." 

Efficient blind signature issuing protocols are known for a variety of digital signatures.
Chaum [9] described a blind signature issuing protocol for issuing one particular type 
of digital signatures, called RSA signatures [20]. Okamoto and Ohta [19] proposed a 
general technique that applies to a variety of digital signatures of the Fiat-Shamir type; 
each of these types of signatures can be issued by means of a blind signature issuing 
protocol. 

The technique of Ohta and Okamoto amounts to not removing the interaction when applying the technique of Fiat and Shamir for converting a three-move sound identification protocol into a signature issuing protocol; by having the verifying party (receiver) determine the challenge, one may hope that it can blind the issued message-signature pair. Indeed, as shown by Ohta and Okamoto, for many schemes of the Fiat-Shamir type this works if only a certain random self-reducibility property holds. The technique does not seem applicable to the ElGamal signature scheme and the DSA.

For the Guillou-Quisquater signature issuing protocol, the modification of Ohta and Okamoto results in the following blind signature issuing protocol:

Step 1. $S_0$ generates at random a number $w_0 \in \mathbb{Z}_n^*$, and sends $a_0 := w_0^v$ to $R_0$.

Step 2. $R_0$ generates at random a number $t_1 \in \mathbb{Z}_n^*$ and a number $t_2 \in \mathbb{Z}_v$, computes $c_0' := H(m, t_1^v h_0^{t_2} a_0)$ for a message $m$ of its choice, and sends the challenge $c_0 := c_0' + t_2 \bmod v$ to $S_0$.

Step 3. $S_0$ sends the response $r_0 := x_0^{c_0} w_0$ to $R_0$.

$R_0$ accepts if and only if $r_0^v h_0^{-c_0} = a_0$. (Note that the protocol described up to this point is identical to the Guillou-Quisquater identification protocol, with $R_0$ generating its challenge from $\mathbb{Z}_v$ in a particular way.) If $R_0$ accepts, it computes $r_0' := r_0 t_1 h_0^{(c_0' + t_2)\operatorname{div} v}$. As can easily be shown, this is a blind signature issuing protocol, with $(r_0', c_0')$ being a Guillou-Quisquater signature on $m$.
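The two Guillou-Quisquater issuing protocols of this section, the ordinary one of Subsection 2.1 and the blind one above, as an added worked example in Python; this is not code from the original paper. The modulus $n$, the exponent $v$ and the hash-function $H(\cdot)$ are constructed toy choices, far too small for real use, and the receiver's unblinding step is checked against the verification relation $c_0 = H(m, r_0^v h_0^{-c_0})$:

```python
import hashlib
import random
from math import gcd

# Constructed toy parameters, far too small for real use: n = p*q for two
# (Mersenne) primes, v prime with gcd(v, phi(n)) = 1, so that every element
# of Z_n^* has a unique v-th root (the RSA trapdoor the signer relies on).
P, Q = 2**61 - 1, 2**89 - 1
N, PHI, V = P * Q, (P - 1) * (Q - 1), 65537
assert gcd(V, PHI) == 1
V_INV = pow(V, -1, PHI)          # root exponent; known only to the key generator


def H(*parts):
    """Hash into Z_v; this particular H(.) is an assumption of the example."""
    digest = hashlib.sha256("|".join(str(p) for p in parts).encode()).digest()
    return int.from_bytes(digest, "big") % V


def rand_zn_star(rng=random):
    """A random element of Z_n^*."""
    while True:
        t = rng.randrange(2, N)
        if gcd(t, N) == 1:
            return t


def gq_keygen(rng=random):
    """Public key h0 (random in Z_n^*), secret key x0 = h0^(1/v)."""
    h0 = rand_zn_star(rng)
    return h0, pow(h0, V_INV, N)


def gq_verify(h0, m, sig):
    """Verification relation: c0 = H(m, r0^v h0^{-c0})."""
    r0, c0 = sig
    return c0 == H(m, pow(r0, V, N) * pow(h0, -c0, N) % N)


def gq_sign(h0, x0, m, rng=random):
    """Ordinary (non-interactive) issuing protocol of Subsection 2.1."""
    w0 = rand_zn_star(rng)
    a0 = pow(w0, V, N)
    c0 = H(m, a0)                    # the signer computes the challenge itself
    r0 = pow(x0, c0, N) * w0 % N
    return r0, c0


def gq_blind_issue(h0, x0, m, rng=random):
    """Blind issuing protocol of Ohta and Okamoto (Subsection 2.2).

    Returns the signer's view (a0, c0, r0) and the receiver's blinded
    signature (r0', c0') on m."""
    # Step 1 (S0): commitment.
    w0 = rand_zn_star(rng)
    a0 = pow(w0, V, N)
    # Step 2 (R0): blind the commitment with t1, t2 and hash the result.
    t1 = rand_zn_star(rng)
    t2 = rng.randrange(V)
    c0_prime = H(m, pow(t1, V, N) * pow(h0, t2, N) * a0 % N)
    c0 = (c0_prime + t2) % V
    # Step 3 (S0): response, exactly as in the identification protocol.
    r0 = pow(x0, c0, N) * w0 % N
    # R0 accepts only if the response verifies, then unblinds it.
    if pow(r0, V, N) * pow(h0, -c0, N) % N != a0:
        raise ValueError("signer response does not verify")
    r0_prime = r0 * t1 * pow(h0, (c0_prime + t2) // V, N) % N
    return (a0, c0, r0), (r0_prime, c0_prime)
```

The signer never sees $m$, $t_1$ or $t_2$; what it sees is $(a_0, c_0, r_0)$, while the receiver ends up with $(r_0', c_0')$, which verifies against $h_0$ exactly as an ordinarily issued signature does.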

Although it should be easier to forge signatures when the signer uses the new issuing 
protocol instead of the previous one, since the message can be chosen depending on the 
information sent by the signer in the first move and the challenge can be freely chosen, 
the resulting signature scheme is generally believed to be unforgeable. For the blind 
Guillou-Quisquater signature issuing protocol this belief can be expressed as follows: 

Assumption 2 For any $l \ge 0$, no probabilistic polynomial-time receiver can determine with non-negligible probability of success $l + 1$ distinct pairs, consisting of a message and a corresponding Guillou-Quisquater signature, by performing $l$ executions of the blind Guillou-Quisquater signature issuing protocol with an honest signer.

2.3 Secret-Key Certificate Schemes 

Public-key certificates are a well-known cryptographic tool for secure key management. The idea is to have a chosen party, called the (certificate) issuer, certify the public keys of other parties by digitally signing these public keys with respect to its own public key. By widely disseminating the public key of the issuer through a variety of media, anyone can verify that it is genuine. Because a public-key certificate is a digital signature of the issuer on a public key, certificates on public keys of other parties can be publicly verified off-line by using the public key of the issuer. Public-key certificates can be used statically (e.g., in public-key directories) or dynamically, for signature transporting mechanisms.
As with public-key certificates, with secret-key certificates [3] the objects of interest
are triples consisting of a secret key, a corresponding public key, and a certificate of an 
issuer on the public key. However, contrary to public-key certificates, in a secret-key 
certificate scheme the certificate is not a digital signature on the public key; the publicly 
verifiable relation between a public key and a certificate thereon is such that anyone 
can generate (in isolation) pairs consisting of a public key and a matching certificate, 
with a distribution that is indistinguishable from the distribution that applies when 
the issuing protocol is conducted with the issuer. On the other hand, as with public- 
key certificates, triples consisting of a secret key, a corresponding public key, and a 
secret-key certificate on the public key can only be retrieved by performing an issuing 
protocol with the issuer; in effect, the certificate is a digital signature on the secret key. 
The certificate tells a verifying party that the public key is authentic if the presumed 
owner of the public key knows a corresponding secret key. 

Since secret keys are usually not intended to be revealed, how is one to go about "verifying" the validity of a secret-key certificate? The answer lies in the fact that a party that can successfully perform a cryptographic action with respect to its public key (such as digital signing or proving knowledge of a corresponding secret key) ordinarily needs to know a corresponding secret key. In fact, there is no point in using a public-key certificate scheme if the cryptographic actions that are to be performed with respect to a certified public key can be performed without knowing a corresponding secret key. Consequently, secret-key certificate schemes preserve the functionality intended to be offered by public-key certificate schemes; see [3] for further details.

Regardless of the type of certificate, we will refer to a pair consisting of a public key and a matching certificate as a certified public key, and to a triple consisting of a secret key, a corresponding public key, and a matching certificate as a certified key pair. A certificate scheme consists of several items. Similar to a digital signature scheme, a verification algorithm is needed that determines what exactly constitutes a certificate on a public key. We also need a key generation algorithm that generates key pairs for the issuer, and a certificate issuing protocol. In addition, we need a key generation algorithm for the receiver of a certified key pair; this algorithm specifies which key pairs are considered valid for certification. Finally, in case of a secret-key certificate scheme there must exist a simulator that simulates certified public keys with the same probability as that by which they are generated by the issuing protocol.

Of course, secret-key certificate schemes and public-key certificate schemes differ in many aspects. An important disadvantage of the former is that they are much harder to design than the latter, especially when the issuer must be prevented from learning the secret keys of the issued triples. On the positive side, with a secret-key certificate scheme the information that is listed in a public-key directory cannot be of help to attack the signature scheme of the issuer; the whole directory could have been generated by an attacker itself. Perhaps the most important advantage of secret-key certificates over public-key certificates is one that is the subject of our studies in this paper: they seem much more suitable for the construction of restrictive blind signature schemes.

In [3] a particular class of embodiments of secret-key certificate schemes was described, based on signature schemes of the Fiat-Shamir type; each of these embodiments can be proved to be as secure as the Fiat-Shamir type signature scheme from which it has been derived, and triples can be issued without the issuer learning the secret keys. According to this construction, a secret-key certificate scheme can be derived from the Guillou-Quisquater signature scheme, as follows. On input a security parameter $k$, the key generation algorithm generates a public key $(n, v, h, g, H(\cdot))$ and a corresponding secret key $(x, y)$ for the certificate issuer $S$. Here, $(n, v, h, H(\cdot))$ and $x$ are generated as described by the key generation algorithm for the Guillou-Quisquater signature scheme, and $g$ and $y$ are generated according to the same distribution as that by which $h$ and $x$ are generated. In particular, $h = x^v$ and $g = y^v$.

A secret-key certificate of $S$ on a public key $h_i$ of a receiver $R_i$, for some $i \in \mathbb{N}$, is a pair $(r, c)$ such that

$$c = H\bigl(h_i, r^v (h h_i)^{-c}\bigr).$$

A secret key of $R_i$ corresponding to its public key $h_i$ is a pair $(s_i, x_i) \in \mathbb{Z}_v \times \mathbb{Z}_n^*$ such that

$$h_i = g^{s_i} x_i^v.$$

(Other choices can be made as well; see [3, 5].)

In [3] an "ordinary" issuing protocol is described that enables $S$ to issue a certified key pair in such a way that it cannot learn a secret key corresponding to the public key that $R_i$ ends up with. In Sect. 3 we will develop a new issuing protocol for this particular secret-key certificate scheme, to demonstrate the new technique for designing restrictive blind signature schemes.

3. Restrictive Blinding of Secret-Key Certificates
We now get to the heart of the matter. In a restrictive blind signature issuing protocol, 
the objects of interest are triples, consisting of a secret key, a matching public key, and 
a certificate on the public key; contrast this to the "ordinary" blind signature issuing 
protocols discussed in Subsection 2.2, which are concerned with pairs. Similar to 
ordinary blind signature issuing protocols, the receiver in a restrictive blind signature 
issuing protocol should be able to ensure that the public key and the certificate of such 
a triple are uncorrelated to the view of the signer in the issuing protocol. However, the 
receiver should not be able to modify a certain non-trivial predicate of the secret key
while blinding. This is what these issuing protocols derive their name from: on
the one hand, the receiver should be able to perform blinding operations, on the other 
hand the blinding operations at the receiver's disposal should be restricted such as to 
prevent blinding of the predicate intended by the issuer to be blinding-invariant. 

One can distinguish between restrictive blind public-key certificate issuing protocols 
and restrictive blind secret-key certificate issuing protocols, depending on the type 
of certificates used. Restrictive blind public-key certificate issuing protocols can be 
thought of as being a generalization of the withdrawal protocol in the untraceable 
off-line cash system of Chaum, Fiat and Naor [10]. 

We now proceed to demonstrate that a restrictive blind secret-key certificate issuing protocol can be designed for any Fiat-Shamir type signature scheme for which an ordinary blind signature issuing protocol can be constructed by applying the blinding technique of Okamoto and Ohta. A formal description of the general construction would be rather unwieldy, and so we will explain the technique on the basis of secret-key certificates derived from Guillou-Quisquater signatures (which we described in Subsection 2.3); this should make it much easier to understand why the construction works. Exactly the same design technique applies to secret-key certificates based on at least any of the following Fiat-Shamir type signature schemes: Fiat-Shamir [15], Brickell-McCurley [7], Feige-Fiat-Shamir [14], Okamoto [18] (several schemes), and Schnorr [21].

3.1 Restrictive Blinding for the Guillou-Quisquater Secret-Key Certificate Scheme

In the restrictive blind issuing protocol, $R_i$ will receive a certified key pair $((s_{0i}, t_1), h_i', (r', c'))$, with the blinding-invariant predicate of the secret key being equal to $s_{0i} \bmod v$. The apostrophes on the public key and the certificate serve to emphasize that they will be uncorrelated to the view of $S$. We will assume that $S$ initially provides $R_i$ with a number $s_{0i}$, generated according to some appropriate probability distribution over $\mathbb{Z}_v$, and will denote $g^{s_{0i}}$ by $h_i$. Note that the pair $(s_{0i}, 1)$ is a secret key corresponding to public key $h_i$; one can think of $h_i$ as the public key that is to be blinded to $h_i'$. For technical reasons, related to the proof of Proposition 8, we will assume that $s_{0i}$ is generated independently of $h$. For all practical purposes this is not a restriction.

The issuing protocol is as follows (see Fig. 1):

Step 1. $S$ generates at random a number $w \in \mathbb{Z}_n^*$, and sends $a := w^v$ to $R_i$.

Step 2. $R_i$ generates at random two numbers $t_1, t_2 \in \mathbb{Z}_n^*$, and a number $t_3 \in \mathbb{Z}_v$. $R_i$ computes $h_i' := h_i t_1^v$, $c' := H(h_i', t_2^v (h h_i')^{t_3} a)$, and sends $c := c' + t_3 \bmod v$ to $S$.

Step 3. $S$ sends $r := (x y^{s_{0i}})^c w$ to $R_i$.

$R_i$ accepts if and only if $r^v (h h_i)^{-c} = a$. If this verification holds, $R_i$ computes $r' := r t_1^c t_2 (h h_i')^{(c' + t_3)\operatorname{div} v}$.

Observe that we have applied the technique of Okamoto and Ohta to the Guillou-Quisquater signature issuing protocol, with $S$ performing the protocol with respect to a combined public key $h h_i$ that is the product of its own public key and the "not-yet-blinded" public key of $R_i$, and $R_i$ blinding not only $c$ and $r$ but also this combined public key. In an (informal) nutshell, this explains the general technique.
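The issuing protocol above, together with the simulator of Proposition 2 and the conversion of a certified key pair into a Guillou-Quisquater signature used in Step 4 of the proof of Proposition 5, as an added worked example in Python; this is not code from the original paper. The modulus $n$, the exponent $v$ and the hash-function $H(\cdot)$ are constructed toy parameters, far too small for real use, and the receiver's secret key is taken to satisfy $h_i = g^{s_i} x_i^v$ as in Subsection 2.3:

```python
import hashlib
import random
from math import gcd

# Constructed toy parameters, far too small for real use: n = p*q for two
# (Mersenne) primes, v prime with gcd(v, phi(n)) = 1, so that v-th roots
# mod n exist and are unique.
P, Q = 2**61 - 1, 2**89 - 1
N, PHI, V = P * Q, (P - 1) * (Q - 1), 65537
assert gcd(V, PHI) == 1


def H(*parts):
    """Hash into Z_v; this particular H(.) is an assumption of the example."""
    digest = hashlib.sha256("|".join(str(p) for p in parts).encode()).digest()
    return int.from_bytes(digest, "big") % V


def rand_zn_star(rng=random):
    """A random element of Z_n^*."""
    while True:
        t = rng.randrange(2, N)
        if gcd(t, N) == 1:
            return t


def issuer_keygen(rng=random):
    """Issuer S: public key (h, g), secret key (x, y) with h = x^v, g = y^v."""
    x, y = rand_zn_star(rng), rand_zn_star(rng)
    return (pow(x, V, N), pow(y, V, N)), (x, y)


def is_certificate(pub, h_i, cert):
    """Secret-key certificate relation: c = H(h_i, r^v (h h_i)^{-c})."""
    h, _ = pub
    r, c = cert
    return c == H(h_i, pow(r, V, N) * pow(h * h_i % N, -c, N) % N)


def is_certified_key_pair(pub, sk_i, h_i, cert):
    """(s_i, x_i) is a secret key for h_i iff h_i = g^{s_i} x_i^v."""
    _, g = pub
    s_i, x_i = sk_i
    key_ok = h_i == pow(g, s_i, N) * pow(x_i, V, N) % N
    return key_ok and is_certificate(pub, h_i, cert)


def restrictive_blind_issue(pub, sec, s0i, rng=random):
    """The issuing protocol of Subsection 3.1.

    Returns the issuer's view (a, c, r) and the receiver's certified key pair
    ((s0i, t1), h_i', (r', c')); s0i mod v is the blinding-invariant part."""
    h, g = pub
    x, y = sec
    h_i = pow(g, s0i, N)                  # not-yet-blinded key, secret (s0i, 1)
    # Step 1 (S): commitment.
    w = rand_zn_star(rng)
    a = pow(w, V, N)
    # Step 2 (R_i): blind the public key, the commitment and the challenge.
    t1, t2 = rand_zn_star(rng), rand_zn_star(rng)
    t3 = rng.randrange(V)
    h_i_p = h_i * pow(t1, V, N) % N
    hh_p = h * h_i_p % N                   # blinded combined public key
    c_p = H(h_i_p, pow(t2, V, N) * pow(hh_p, t3, N) * a % N)
    c = (c_p + t3) % V
    # Step 3 (S): response w.r.t. the combined public key h*h_i.
    r = pow(x * pow(y, s0i, N) % N, c, N) * w % N
    # R_i accepts only if r^v (h h_i)^{-c} = a, then unblinds.
    if pow(r, V, N) * pow(h * h_i % N, -c, N) % N != a:
        raise ValueError("issuer response does not verify")
    r_p = r * pow(t1, c, N) * t2 * pow(hh_p, (c_p + t3) // V, N) % N
    return (a, c, r), ((s0i, t1), h_i_p, (r_p, c_p))


def simulate_certified_public_key(pub, rng=random):
    """Simulator of Proposition 2: a certified public key without the issuer."""
    h, _ = pub
    t1, t2 = rand_zn_star(rng), rand_zn_star(rng)
    h_i = pow(t1, V, N) * pow(h, -1, N) % N   # chosen so that h*h_i = t1^v
    c = H(h_i, pow(t2, V, N))
    r = pow(t1, c, N) * t2 % N
    return h_i, (r, c)


def certified_pair_to_gq_signature(y, sk_i, h_i, cert):
    """Step 4 of the proof of Proposition 5: knowing y with g = y^v, turn a
    certified key pair into a Guillou-Quisquater signature on m = h_i
    under the public key h."""
    s_i, x_i = sk_i
    r, c = cert
    r0 = r * pow(pow(y, s_i, N) * x_i % N, -c, N) % N
    return h_i, (r0, c)


def gq_verify(h, m, sig):
    """Guillou-Quisquater verification relation: c0 = H(m, r0^v h^{-c0})."""
    r0, c0 = sig
    return c0 == H(m, pow(r0, V, N) * pow(h, -c0, N) % N)
```

What can be checked directly is that the triple the receiver ends up with satisfies the certificate relation with $s_{0i}$ intact, that the simulator's output satisfies the same relation without knowledge of $x$ or $y$, and that a certified key pair converts into a Guillou-Quisquater signature under $h$ whenever $g = y^v$ is known; the unlinkability of $(a, c, r)$ to $(h_i', r', c')$ is a statement about distributions and is not something a single run demonstrates.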

Why should this construction work? For this to become clear, we will prove that our 
exemplary scheme described above is a restrictive blind secret-key certificate scheme; 
pay particular attention to Proposition 8, as its proof in essence provides the answer 
to this question. 

Following Feige, Fiat and Shamir [14], we will denote by $Z$ a party $Z$ that follows the issuing protocol, by $\tilde{Z}$ a probabilistic polynomial-time party $Z$ that may deviate from the issuing protocol in an arbitrary way, and by $\hat{Z}$ a party $Z$ with unlimited computing power that may deviate from the issuing protocol in an arbitrary way.



    S                                     R_i
    a := w^v
                    ------ a ------>
                                          c' := H(h_i', t_2^v (h h_i')^{t_3} a)
                                          c := c' + t_3 mod v
                    <----- c -------
    r := (x y^{s_{0i}})^c w
                    ------ r ------>
                                          r^v (h h_i)^{-c} = a ?

Fig. 1: The issuing protocol

3.2 Proof of Correctness

The secret-key certificate scheme defined in Subsection 2.3, with the issuing protocol of Subsection 3.1 substituted for the ordinary issuing protocol, defines a new certificate scheme. To prove that our new scheme is indeed a secret-key certificate scheme (correctness), we must prove that $R_i$ in the issuing protocol receives a certified public key. Moreover, since we have changed the issuing protocol it is not immediately clear whether certified public keys can still be generated with indistinguishable probability distribution, without cooperation of $S$; we will prove that property next.
Proposition 1 If $R_i$ accepts, then

$$\bigl((s_{0i}, t_1),\ h_i',\ (r', c')\bigr)$$

is a certified key pair.

Proof It is clear that $(s_{0i}, t_1)$ is a secret key corresponding to $h_i'$, since $h_i' = h_i t_1^v = g^{s_{0i}} t_1^v$, and so we must show that $(r', c')$ is a secret-key certificate on $h_i'$. In Step 2 of the issuing protocol, $R_i$ computes $c' := H(h_i', t_2^v (h h_i')^{t_3} a)$. Therefore it suffices to prove that $(r')^v (h h_i')^{-c'} = t_2^v (h h_i')^{t_3} a$ for the assignments made by $R_i$. This can be seen as follows:

$$\begin{aligned}
(r')^v (h h_i')^{-c'} &= \bigl(r t_1^c t_2 (h h_i')^{(c'+t_3)\operatorname{div} v}\bigr)^v (h h_i')^{-c'} \\
&= r^v t_1^{cv} t_2^v (h h_i')^{v((c'+t_3)\operatorname{div} v)} (h h_i')^{-c'} \\
&\overset{(*)}{=} \bigl((h h_i)^c a\bigr) t_1^{cv} t_2^v (h h_i')^{v((c'+t_3)\operatorname{div} v)} (h h_i')^{-c'} \\
&= (h h_i')^{(c'+t_3 \bmod v) + v((c'+t_3)\operatorname{div} v)} t_2^v a (h h_i')^{-c'} \\
&= t_2^v (h h_i')^{t_3} a.
\end{aligned}$$

The substitution in $(*)$ is allowed because $R_i$ accepts only if $r^v (h h_i)^{-c} = a$. □



Proposition 2 The new certificate scheme is a secret-key certificate scheme.

Proof We will construct a polynomial-time simulation algorithm $A$ that generates certified public keys with the same probability as that according to which they are generated in the issuing protocol between $S$ and $R_i$. On input the public key $(n, v, h, g, H(\cdot))$ of $S$, $A$ generates at random two numbers $t_1, t_2 \in \mathbb{Z}_n^*$, computes $h_i := t_1^v h^{-1}$, $c := H(h_i, t_2^v)$ and $r := t_1^c t_2$, and outputs the pair $(h_i, (r, c))$. The output of $A$ is a certified public key:

$$\begin{aligned}
c &= H(h_i, t_2^v) \\
&= H\bigl(h_i, (r t_1^{-c})^v\bigr) \\
&= H\bigl(h_i, r^v (h h_i)^{-c}\bigr),
\end{aligned}$$

since $h h_i = t_1^v$. Since $v$ is co-prime to $\varphi(n)$, and the numbers $t_1, t_2$ are chosen at random from $\mathbb{Z}_n^*$, the output distribution of $A$ is identical to the distribution that applies when certified key pairs are issued to $R_i$ by $S$. □

3.3 Proof of the Primary Purpose

We go on to prove that the primary purpose of issuing protocols, namely the one-to-one correspondence between executions of the issuing protocol and certified key pairs, holds for the new certificate scheme. The one-to-one correspondence should hold even if multiple receivers, each of which may perform the issuing protocol for a different number $s_{0i}$, conspire. A conspiracy should be thought of as being one probabilistic polynomial-time Turing machine, composed of the "participating" receivers; this is easy to formalize, and will be left out here.

We first need two lemmas. In the proof of the first lemma we will construct a simulator $A$ that moves to a third step only after any $l$ executions of the issuing protocol have been simulated. To ensure that $A$ always halts in polynomial time in a defined state, we can let $A$ halt if some polynomial amount of time has expired without any requests for executions of the issuing protocol. To keep the proof simple we will not incorporate such a notion of timing, but will instead implicitly assume its presence; this detail can easily be filled in. The same remark pertains also to the simulators used in later proofs. For a definition of witness hiding, see Feige and Shamir [13].

Lemma 3 If the blind Guillou-Quisquater signature issuing protocol is witness hiding, then no conspiracy can compute $g^{1/v}$ with non-negligible probability of success.

Proof Suppose that a conspiracy can misuse $l$ executions of the secret-key certificate issuing protocol to extract $g^{1/v}$ with non-negligible probability of success. We will construct a polynomial-time algorithm $A$ for extracting the witness of $S_0$ in the blind Guillou-Quisquater signature issuing protocol.

Algorithm $A$, on given as input a public key $(n, v, h_0, H(\cdot))$ of $S_0$, performs the following steps:

Step 1. (Simulate the key generation for $S$.) Set $g := h_0$. Generate at random an element $x \in \mathbb{Z}_n^*$, and compute $h := x^v$. The simulated public key of $S$ is $(n, v, h, g, H(\cdot))$.

Step 2. For each receiver in the conspiracy, simulate the actions that $S$ would perform. For a receiver $R_i$, perform hereto the simulation as follows:

• (Generation of the blinding-invariant part of the secret key.) Generate a number $s_{0i} \in \mathbb{Z}_v$ for $R_i$ according to the probability distribution by which $S$ generates the blinding-invariant parts.

• (The issuing protocol.)

Step 1. Receive $a_0$ from $S_0$, and pass $a := a_0^{s_{0i}}$ on to $R_i$.
Step 2. Receive $c$ from $R_i$, and pass $c_0 := c$ on to $S_0$.
Step 3. Receive $r_0$ from $S_0$, and pass $r := r_0^{s_{0i}} x^c$ on to $R_i$.

Continue this simulation until $l$ executions of the issuing protocol have been performed.

Step 3. Check if the conspiracy has $g^{1/v}$ on its tapes. If not, then halt.

Step 4. Output $g^{1/v}$.

By definition of the key generation of $S_0$, and that of $A$, the public key in Step 1 is simulated with the same probability distribution as that by which $S$ generates its public key. The response that is computed by $A$ in the simulated issuing protocol is the same as the response that $S$ would compute:

$$\begin{aligned}
r^v &= (r_0^{s_{0i}} x^c)^v \\
&= r_0^{v s_{0i}} h^c \\
&\overset{(*)}{=} (h_0^{c_0} a_0)^{s_{0i}} h^c \\
&= (g^{s_{0i}})^{c_0} a_0^{s_{0i}} h^c \\
&= h_i^c\, a\, h^c \\
&= (h h_i)^c a,
\end{aligned}$$

where the substitution in $(*)$ is allowed because the response of $S_0$ in the blind Guillou-Quisquater signature issuing protocol is always correct. From this it easily follows that the views provided by $A$ in the simulated issuing protocol have the same distribution as those provided by $S$ in the issuing protocol, regardless of the probability distribution by which the receivers in the conspiracy generate their challenges. Hence, Step 4 is reached by supposition with non-negligible probability.

To complete the proof, observe that each execution of the simulated issuing protocol constitutes exactly one execution of the blind Guillou-Quisquater signature issuing protocol with $S_0$. For the output of $A$ in Step 4 we have $g^{1/v} = h_0^{1/v}$, which is the secret key of $S_0$. Since $A$ performs only polynomially many executions of the prot with $S_0$, this contradicts the assumption that the blind Guillou-Quisquater signature issuing protocol is witness hiding. □

Note that a similar result can be proved unconditionally for the restrictive blind secret-key certificate schemes that can be derived by our technique from the signature schemes of Brickell-McCurley [7] and Okamoto [18], since these schemes are known to be witness hiding. Furthermore, the result also holds if a conspiracy can "wire-tap" executions of the issuing protocol with honest receivers; in Step 2 of the simulation obviously the same simulation can be used for these honest receivers.

The proof of the following lemma is trivial, and is therefore omitted.

Lemma 4 If Assumption 2 is true, then the blind Guillou-Quisquater signature issuing protocol is witness hiding.

We are now prepared to prove the one-to-one correspondence. In the following, a 
conspiracy is said to be able to forge a certified key pair if it can compute with non- 
negligible probability of success / + 1 distinct certified key pairs by performing I exe- 
cutions of the issuing protocol with 5, for some / > 0. 

Proposition 5 If Assumption 2 is true, then no conspiracy can forge a certified key pair.

Proof Suppose that a conspiracy can misuse any $l$ executions of the issuing protocol to extract
with non-negligible probability of success $l^*$ distinct certified key pairs, with $l^* > l$. We
will construct a polynomial-time algorithm $A$ for breaking Assumption 2.

Algorithm $A$, on given as input a public key $(n, v, h_0, H(\cdot))$ of $S_0$, performs the
following steps:

Step 1. (Simulate the key generation for $S$.) Set $h := h_0$. Generate at random an element
$y \in \mathbb{Z}_n^*$, and compute $g := y^v$. The simulated public key of $S$ is
$(n, v, h, g, H(\cdot))$.

Step 2. For each receiver in the conspiracy, simulate the actions that $S$ would perform. For a
receiver $R_i$, perform hereto the simulation as follows:

• (Generation of the blinding-invariant part of the secret key.) Generate a number
$s_{0i} \in \mathbb{Z}_v$ for $R_i$ according to the probability distribution by which $S$
generates the blinding-invariant parts.

• (The issuing protocol.)

Step 1. Receive $a_0$ from $S_0$, and pass $a := a_0$ on to $R_i$.
Step 2. Receive $c$ from $R_i$, and pass $c_0 := c$ on to $S_0$.
Step 3. Receive $r_0$ from $S_0$, and pass $r := r_0\, y^{s_{0i} c}$ on to $R_i$.

Continue this simulation until $l$ executions of the issuing protocol have been performed.

Step 3. Check if the conspiracy has $l^*$ distinct certified key pairs on its tapes. If not, then
halt.

Step 4. For each of the $l^*$ distinct certified key pairs, $(s_{0i}, s_{1i}), h_i, (r', c')$,
compute $c_0 := c'$, $r_0 := r' (y^{s_{0i}} s_{1i})^{-c'}$ and $m := h_i$, and output
$m, (r_0, c_0)$.

By definition of the key generation of $S_0$, and that of $A$ in Step 1, the public key in Step 1
is generated with the same probability distribution as that by which $S$ generates its public key.
The response that is computed by $A$ in the simulated issuing protocol is the same as the response
that $S$ would compute:

$r^v = (r_0\, y^{s_{0i} c})^v$
$\quad = r_0^v\, (y^v)^{s_{0i} c}$
$\quad \overset{(*)}{=} (h^c a)\, h_i^c$
$\quad = (h h_i)^c\, a,$

where the substitution in (*) is allowed because the response of $S_0$ in the blind
Guillou-Quisquater signature issuing protocol is always correct. From this it easily follows that
the views provided by $A$ in the simulated issuing protocol have the same distribution as those
provided by $S$ in the issuing protocol, regardless of the probability distribution by which the
conspiracy generates its challenges. Hence, Step 4 is reached by supposition with non-negligible
probability.

We next show (i) that the output of $A$ consists of $l^*$ messages with corresponding
Guillou-Quisquater signatures, and (ii) that all these pairs are distinct with at least
overwhelming probability. Property (i) follows from

$c_0 = c'$
$\quad \overset{(*)}{=} H(h_i, r'^v (h h_i)^{-c'})$
$\quad = H(m, r_0^v\, h_0^{-c_0}),$

where the substitution in (*) is allowed by definition of a secret-key certificate.
To prove property (ii), consider any two certified key pairs,

$(s_{0i}, s_{1i}), h_i, (r, c)$

and

$(s_{0i}^*, s_{1i}^*), h_i^*, (r^*, c^*).$

Suppose that the two corresponding pairs, as computed by $A$ in Step 4, are identical; they are
$m, (r (y^{s_{0i}} s_{1i})^{-c}, c)$ and $m^*, (r^* (y^{s_{0i}^*} s_{1i}^*)^{-c^*}, c^*)$. We
will prove that if these two pairs are identical, then the two certified key pairs are identical.
Applying the definition of a secret-key certificate to the two certified key pairs, we have

$c = H(h_i, r^v (h h_i)^{-c})$

and

$c^* = H(h_i^*, (r^*)^v (h h_i^*)^{-c^*}).$

Since $h_i = h_i^*$ and $c = c^*$ by equality of the two corresponding pairs, it follows that

$H(h_i, r^v (h h_i)^{-c}) = H(h_i, (r^*)^v (h h_i)^{-c}).$

Because $H(\cdot)$ is collision-intractable, $r^v (h h_i)^{-c} = (r^*)^v (h h_i)^{-c}$ with
overwhelming probability, and hence $r = r^*$ with overwhelming probability. This leaves us with the
possibility that $(s_{0i}, s_{1i})$ differs from $(s_{0i}^*, s_{1i}^*)$. Suppose that
$s_{0i} \neq s_{0i}^* \bmod v$ (the other possibility can be taken care of in a similar way). Let
$e, f \in \mathbb{N}$ be such that $(s_{0i} - s_{0i}^*)\, e = 1 + f v$; such a pair exists because
$s_{0i} \neq s_{0i}^* \bmod v$, and can be computed efficiently by applying the extended Euclidean
algorithm. Then from $g^{s_{0i}} s_{1i}^v = h_i = h_i^* = g^{s_{0i}^*} (s_{1i}^*)^v$ it follows
that

$(s_{1i}^* / s_{1i})^{v e} = g^{(s_{0i} - s_{0i}^*)\, e}$
$\quad = g^{1 + f v}$
$\quad = g\, (g^f)^v,$

and so $(s_{1i}^* / s_{1i})^e / g^f = g^{1/v}$. Since the certified key pairs in Step 4 are known
by the conspiracy (and so $e, f$ can be computed by the conspiracy), while its view in the
simulation is exactly the same as in the issuing protocol, this means that the conspiracy has been
able to determine $g^{1/v}$. According to Lemma 4, the blind Guillou-Quisquater signature scheme is
witness hiding if Assumption 2 is true, and so by Lemma 3 we have a contradiction with Assumption 2.
So the certified key pairs are equal, and hence property (ii) holds.

To complete the proof, observe that an execution of the simulated issuing protocol constitutes
exactly one execution of the blind Guillou-Quisquater signature issuing protocol with $S_0$.
Because of this one-to-one correspondence, $A$ performs in total $l$ executions of the blind
Guillou-Quisquater signature issuing protocol. This contradicts Assumption 2. □

In combination with Proposition 1, which states that an honest receiver receives a certified key
pair when it performs an execution of the issuing protocol, this result tells us that there is a
one-to-one correspondence between executions of the issuing protocol and certified key pairs. In
other words, the primary purpose of issuing protocols is satisfied.
3.4 Proof of the Property of Restrictive Blinding

We next turn to proving that the issuing protocol is a restrictive blind signature issuing
protocol. We hereto need to prove (1) that the public key and the certificate can be blinded by the
receiver, whereas (2) the blinding-invariant predicate of the secret key cannot. We start with the
first of these two properties.

Lemma 6 For any certified public key and any possible view of $S$ in an execution of the issuing
protocol in which $R_i$ accepts, there is exactly one set of random choices that $R_i$ could have
made in that execution of the issuing protocol such that $R_i$ would end up with a triple that
encompasses that particular certified public key.

Proof The response $r$ of $S$ is such that $r^v (h h_i)^{-c} = a$, since $R_i$ accepts. We
correspondingly define the following set:

$\mathrm{Views}(S) = \{ (a, c, r) \mid a, r \in \mathbb{Z}_n^* \text{ and } c \in \mathbb{Z}_v
\text{ such that } r^v (h h_i)^{-c} = a \}.$

Furthermore, we introduce the set

$\mathrm{Choices}(R_i) = \{ (s_{1i}, t_{1i}, t_{2i}) \mid s_{1i}, t_{1i} \in \mathbb{Z}_n^*
\text{ and } t_{2i} \in \mathbb{Z}_v \}.$

Consider any certified public key $h_i', (r', c')$. We will show that for all
$S\text{-view} \in \mathrm{Views}(S)$ there is exactly one triple
$(s_{1i}, t_{1i}, t_{2i}) \in \mathrm{Choices}(R_i)$ such that $S$-view corresponds to an
execution of the issuing protocol in which $R_i$ receives the pair $h_i', (r', c')$. We must take
into account that $S$ can make smart choices for its public key $(n, v, h, g, H(\cdot))$ and
$s_{0i}$.

Suppose that $S$-view corresponds to the issuing of the certified public key $h_i', (r', c')$. We
will successively determine uniquely the numbers $s_{1i}, t_{1i}, t_{2i}$ that must have been
chosen by $R_i$. First, $s_{1i}$ is uniquely determined from $s_{0i}, h_i'$:
$s_{1i} = (h_i'\, g^{-s_{0i}})^{1/v}$. Note that $s_{1i}$ exists and is uniquely defined, since
$v$ is co-prime to $\varphi(n)$. Next, $t_{2i}$ is determined from $c, c'$ according to
$c = c' + t_{2i} \bmod v$. Note that $t_{2i}$ exists and is uniquely defined because
$\mathbb{Z}_v$ is a field. Finally, the choices for $s_{1i}$ and $t_{2i}$, together with $r, r'$
and $c'$, uniquely determine $t_{1i}$, as
$t_{1i} = r' \left( r\, s_{1i}^{c}\, (h h_i')^{(c' + t_{2i}) \,\mathrm{div}\, v} \right)^{-1}$.

For these choices of the three variables all the assignments and verifications in the execution of
the issuing protocol would be satisfied by definition, except maybe for the verification relation
$c' = H(h_i', (r')^v (h h_i')^{-c'})$. That this relation holds for the choices for
$s_{1i}, t_{1i}$ and $t_{2i}$ made above can be derived exactly as in the proof of Proposition 1,
considering that the substitution in (*) is allowed here because
$S\text{-view} \in \mathrm{Views}(S)$. □

Proposition 7 If $R_i$ follows the issuing protocol then the issued certified public key is
perfectly blinded.

Proof This is an immediate consequence of Lemma 6 and the fact that $R_i$ generates triples
$(s_{1i}, t_{1i}, t_{2i})$ uniformly at random from $\mathrm{Choices}(R_i)$. □
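The issuing protocol, the receiver's blinding choices $(s_{1i}, t_{1i}, t_{2i})$ from Lemma 6, and the certificate check, as an added Python example that is not part of the paper: the protocol steps ($a := w^v$, $r := (x y^{s_{0i}})^c w$, $r' := r\, t_{1i}\, s_{1i}^c (h h_i')^{(c' + t_{2i}) \,\mathrm{div}\, v}$) are taken from the verification relations used in the proofs, while the toy parameters and the SHA-256 stand-in for $H(\cdot)$ are constructed here. The last function shows the simulatability of certified public keys that the proof of Proposition 8 relies on: a verifying pair $h_i, (r, c)$ can be produced without $S$'s secret key or any matching $(s_{0i}, s_{1i})$.

```python
import hashlib
import math
import secrets

# Constructed toy parameters, far too small for real use: n = p q with p, q prime,
# v a prime with gcd(v, phi(n)) = 1, so that v-th roots modulo n are unique.
P, Q, V = 1000003, 1000033, 65537
N = P * Q
assert math.gcd(V, (P - 1) * (Q - 1)) == 1

def hash_to_zv(h_i, a):
    """Stand-in for H(.): hashes (public key, commitment) into Z_v."""
    digest = hashlib.sha256(f"{h_i}|{a}".encode()).digest()
    return int.from_bytes(digest, "big") % V

def random_unit():
    """Uniform element of Z_n^* (rejection sampling is cheap at toy sizes)."""
    while True:
        x = secrets.randbelow(N)
        if x > 1 and math.gcd(x, N) == 1:
            return x

class Signer:
    """S: public key (n, v, h, g, H); secret key (x, y) with h = x^v, g = y^v."""
    def __init__(self):
        self.x, self.y = random_unit(), random_unit()
        self.h, self.g = pow(self.x, V, N), pow(self.y, V, N)

    def public_key(self):
        return (N, V, self.h, self.g)

    def step1(self):
        self.w = random_unit()            # fresh for every execution
        return pow(self.w, V, N)          # a := w^v

    def step3(self, s0, c):
        # r := (x y^{s0})^c w, so that r^v = (h g^{s0})^c a = (h h_i)^c a
        return pow(self.x * pow(self.y, s0, N) % N, c, N) * self.w % N

class Receiver:
    """R_i with blinding-invariant part s0 chosen by S; h_i = g^{s0} is not yet blinded."""
    def __init__(self, pk, s0):
        _n, _v, self.h, self.g = pk
        self.s0, self.h_i = s0, pow(self.g, s0, N)

    def step2(self, a):
        self.a = a
        # random choices (s1, t1, t2) from Choices(R_i) of Lemma 6
        self.s1, self.t1, self.t2 = random_unit(), random_unit(), secrets.randbelow(V)
        self.h_blind = self.h_i * pow(self.s1, V, N) % N        # h_i' = g^{s0} s1^v
        hh = self.h * self.h_blind % N
        a_blind = a * pow(self.t1, V, N) % N * pow(hh, self.t2, N) % N
        self.c_blind = hash_to_zv(self.h_blind, a_blind)        # c' = H(h_i', a')
        return (self.c_blind + self.t2) % V                     # c := c' + t2 mod v

    def step3(self, r):
        c = (self.c_blind + self.t2) % V
        hh_i = self.h * self.h_i % N
        if pow(r, V, N) * pow(pow(hh_i, c, N), -1, N) % N != self.a:
            raise ValueError("response of S does not verify")    # r^v (h h_i)^{-c} != a
        hh = self.h * self.h_blind % N
        carry = (self.c_blind + self.t2) // V                   # the "div v" term
        r_blind = r * self.t1 % N * pow(self.s1, c, N) % N * pow(hh, carry, N) % N
        return (self.s0, self.s1), self.h_blind, (r_blind, self.c_blind)

def verify_certificate(pk, h_i, r, c):
    """Secret-key certificate check: c == H(h_i, r^v (h h_i)^{-c})."""
    n, v, h, _g = pk
    hh = h * h_i % n
    return c == hash_to_zv(h_i, pow(r, v, n) * pow(pow(hh, c, n), -1, n) % n)

def secret_key_matches(pk, sk, h_i):
    """A certified key pair must satisfy h_i == g^{s0} s1^v."""
    n, v, _h, g = pk
    return h_i == pow(g, sk[0], n) * pow(sk[1], v, n) % n

def run_issuing(signer, s0):
    """One execution of the issuing protocol; returns R_i's certified key pair."""
    receiver = Receiver(signer.public_key(), s0)
    c = receiver.step2(signer.step1())
    return receiver.step3(signer.step3(s0, c))

def simulate_certified_public_key(pk):
    """Anyone can produce h_i, (r, c) that pass verify_certificate without S's
    secret key or any matching (s0, s1): choose z and force h h_i = z^v."""
    n, v, h, _g = pk
    z, w = random_unit(), random_unit()
    h_i = pow(z, v, n) * pow(h, -1, n) % n
    c = hash_to_zv(h_i, pow(w, v, n))
    return h_i, (pow(z, c, n) * w % n, c)

if __name__ == "__main__":
    S = Signer()
    sk, h_blind, (r, c) = run_issuing(S, secrets.randbelow(V))
    print("issued certificate verifies:", verify_certificate(S.public_key(), h_blind, r, c))
    h_sim, cert_sim = simulate_certified_public_key(S.public_key())
    print("simulated pair verifies    :", verify_certificate(S.public_key(), h_sim, *cert_sim))
```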

We now turn to proving the second property, for which we need a new assumption. Suppose that we
modify the Guillou-Quisquater identification protocol such that the prover generates $h_0$ at
random in each execution of the protocol, instead of fixing it in advance. If the prover can
compute correct responses with respect to two different challenges of the verifier, then it "knows"
$h_0^{1/v}$. Applying the general technique for converting identification schemes into signature
schemes to this modified identification protocol (correspondingly taking $c$ equal to
$H(h_0, a)$), we obtain a modified signature scheme. What we need for the next proposition is that
it should be infeasible to determine in isolation a pair $h_0, (r_0, c_0)$ such that
$c_0 = H(h_0, r_0^v h_0^{-c_0})$ without knowing $h_0^{1/v}$; alternatively, this can be phrased
in terms of the verification relation for the issuing protocol. Substituting $h h_i$ for $h_0$, we
get the following assumption.

Assumption 3 There exists a probabilistic polynomial-time Turing machine $M$ (the knowledge
extractor) such that, if $A$ is a probabilistic polynomial-time Turing machine with work tape $WT$
and random tape $RT$ that, on input $(n, v, h, H(\cdot))$, outputs with non-negligible
probability a pair $h_i, (r, c)$ such that

$c = H(h_i, r^v (h h_i)^{-c}),$

then $M(A, WT, RT, (n, v, h, H(\cdot))) = (h h_i)^{1/v}$ with non-negligible probability. The
probability is taken over the coin tosses of $A$ and the distribution of the input tuple, and the
distribution of the input tuple is as specified for the Guillou-Quisquater signature scheme.

This assumption is all the more plausible considering that we allow an attacker to forge 
pairs only from scratch, and that the knowledge extractor should succeed with only 
non-negligible probability. 

In the following proposition, we will study the issuing protocol with respect to an 
"isolated" receiver. 

Proposition 8 If the RSA assumption and Assumption 3 are true, then $R_i$ cannot retrieve with
non-negligible probability of success a certified key pair $(s_{0i}', s_{1i}), h_i, (r, c)$ for
which $s_{0i}'$ differs modulo $v$ from its blinding-invariant part $s_{0i}$.

Proof Suppose that $R_i$ can misuse $l$ executions of the issuing protocol to extract with
non-negligible probability of success a certified key pair such that
$s_{0i}' \neq s_{0i} \bmod v$. We will construct a polynomial-time algorithm $A$ for breaking the
RSA assumption.

Algorithm $A$, on given as input a triple $(n, v, h_0)$ generated as specified in the RSA
assumption, performs the following steps:

Step 1. (Simulate the initial key generation.) Set $g := h_0$. Generate at random an element
$x \in \mathbb{Z}_n^*$ and an element $s_{0i} \in \mathbb{Z}_v$ (according to the probability
distribution by which $S$ generates the blinding-invariant parts), and compute
$h := x^v g^{-s_{0i}}$. Generate $H(\cdot)$ in the same way as described in the key generation for
the Guillou-Quisquater signature scheme. The simulated public key of $S$ is
$(n, v, h, g, H(\cdot))$.

Step 2. Simulate for $R_i$ the actions that $S$ would perform, as follows:

• (Generation of the blinding-invariant part of the secret key.) Use $s_{0i}$ as the
blinding-invariant part of the secret key for $R_i$.

• (The issuing protocol.)

Step 1. Generate at random an element $w$ of $\mathbb{Z}_n^*$. Compute $a := w^v$, and send $a$
to $R_i$.
Step 2. Receive $c$ from $R_i$.
Step 3. Compute $r := x^c w$, and send $r$ to $R_i$.

Continue this simulation until $l$ executions of the issuing protocol with $R_i$ have been
performed.

Step 3. Check if $R_i$ has on its tapes a certified key pair $(s_{0i}', s_{1i}'), h_i', (r', c')$
such that $s_{0i}' \neq s_{0i} \bmod v$. If not, then halt.

Step 4. Run the knowledge extractor $M$ on all tapes of $A$ and $R_i$ and the tuple
$(n, v, h, H(\cdot))$. Compute $e, f \in \mathbb{N}$ such that $(s_{0i}' - s_{0i})\, e = 1 + f v$
by applying the extended Euclidean algorithm (such a pair exists since
$s_{0i}' \neq s_{0i} \bmod v$). Denoting the output of $M$ by $d$, compute
$(d / (x s_{1i}'))^e\, g^{-f}$, and output the outcome.

Note that we have made use of the knowledge extractor $M$ of Assumption 3 in Step 4 of this
simulation, and have viewed $S$ and $A$ as one Turing machine (this can easily be formalized, and
is omitted here).

By definition of the key generation of $A$ in Step 1, the public key in Step 1 is generated with
the same probability distribution as that by which $S$ generates its public key. The response that
is computed by $A$ in the simulated issuing protocol is the same as the response that $S$ would
compute:

$r^v = (x^c w)^v$
$\quad = (x^v)^c\, w^v$
$\quad = (h\, g^{s_{0i}})^c\, a$
$\quad = (h h_i)^c\, a.$

From this it easily follows that the view of $S$ that is provided by $A$ in the simulated issuing
protocol has the same distribution as that provided by $S$ in the issuing protocol, regardless of
the probability distribution by which $R_i$ generates its challenges, and in spite of the tricky
way in which $A$ generates $h$. Hence, Step 4 is reached by supposition with non-negligible
probability.

By Assumption 3, the output $d$ of $M$ in Step 4 is equal to $(h h_i')^{1/v}$ with non-negligible
probability, and in that case we have

$\left( (d / (x s_{1i}'))^e \right)^v = \left( d^v / (x^v (s_{1i}')^v) \right)^e$
$\quad = \left( x^v g^{-s_{0i}} g^{s_{0i}'} (s_{1i}')^v / (x^v (s_{1i}')^v) \right)^e$
$\quad = g^{(s_{0i}' - s_{0i})\, e} = g^{1 + f v}$
$\quad = g\, (g^f)^v.$

Since $g = h_0$, it follows that $\left( (d / (x s_{1i}'))^e\, g^{-f} \right)^v = h_0$, and so
the output of $A$ in Step 4 is equal to $h_0^{1/v}$ with non-negligible probability. This
contradicts the RSA assumption. Hence, if Assumption 3 and the RSA assumption are true then it
cannot be the case that $s_{0i}' \neq s_{0i} \bmod v$ with non-negligible probability of success. □

Observe that the proof of this strong result makes use of the fact that the simulator can determine
the public key of $S$ in terms of $s_{0i}$ without this changing the distribution of the views for
$R_i$. As a quick comparison with the proof of Proposition 2 will reveal, this proof technique owes
its existence to the simulatability of certified public keys that is inherent to secret-key
certificates.

3.5 Sequential Executions of the Issuing Protocol

Obviously, in applications of practical interest there are multiple receivers, as has been
emphasized throughout by the use of a subscript $i$. We can distinguish between multiple executions
of the issuing protocol with respect to the same number $s_{0i}$, or with respect to different
$s_{0i}$'s. In the former case, Proposition 8 still holds, independent of whether the executions of
the issuing protocol are performed sequentially or in parallel by $S$; but this case is hardly of
practical interest. So we will now study the latter case, in which issuing protocols are executed
by $S$ with respect to different blinding-invariant numbers.

When $S$ sees to it that it performs executions of the issuing protocol with respect to different
blinding-invariant numbers only sequentially, Proposition 8 provides fairly solid evidence that not
even a conspiracy of receivers will be able to blind the presumed blinding-invariant predicate of
one of their secret keys. The motivation for this is that essentially no cooperation is possible
between different receivers while performing executions of the issuing protocol. This seems to
justify the following conjecture.

Conjecture 1 If $S$ makes sure that it never performs two executions of the issuing protocol in
parallel in case they involve different blinding-invariant numbers, then the defined certificate
issuing scheme is a restrictive blind signature scheme.

It is stressed that it cannot hurt if $S$ performs executions of the issuing protocol in parallel
that pertain to the same blinding-invariant number.

In many practical applications the simple measure of not running executions of the issuing
protocol in parallel, in case they pertain to different blinding-invariant parts, will certainly
suffice. Namely, consider two such executions of the issuing protocol. $S$ starts by sending a
number $a$ in the first execution. As soon as $S$ has received a challenge number $c$ for this
first execution it starts the second execution; the execution of the first protocol can be
completed while the second is still running. Even though the protocol executions overlap in part
in this manner, they clearly are performed sequentially. The only way in which the first receiver
can hold up the second is by not immediately responding with a challenge; but $S$ can simply
refuse to provide a corresponding response if the delay between sending out $a$ and receiving $c$
is too large, and proceed anyway. A semaphore, or flag, can keep track of whether an execution of
the issuing protocol is still "active."

What constitutes a fair permitted delay depends on the latency of the particular network that is
being used, and on the computation speed of receivers. Receivers that accidentally exceed the
allowed delay can simply try again in a new execution of the issuing protocol. In this respect it
is important to note that the receiver in the issuing protocol (and in all other issuing protocols
that result from the presented technique) needs to perform only a single on-line (modular)
multiplication, to compute the second argument of $H(\cdot)$; the other computations can be
performed off-line. (The evaluation of the hash-value of the two arguments, and of the addition
modulo $v$, can be done comparatively very fast, so that we can ignore it in our argument.) A rough
lower bound for a fair delay time (which may even vary per receiver) is to double the time needed
for the information to travel through the network from $S$ to $R_i$ and back, and add to that the
time needed by the receiver to perform the on-line multiplication; the chosen value for the allowed
delay time need usually not exceed this lower bound by much. In case $S$ can rely on the security
of certain parts of the network infrastructure, significant reductions can be obtained. For
example, if receivers can perform the issuing protocol by inserting a smart card into one of many
secured terminals (or pointing a hand-held with infrared communication channel), and $S$ trusts
these terminals, then only the time for the information to travel between smart card and terminal
need be considered; this will be negligible.

If requests for executing the issuing protocol "arrive" like a Poisson process, this strategy in
effect is the M/D/1 model with feedback from queueing theory. Of course, the feedback may be
purposely limited by $S$, to shut out receivers that frequently exceed the permitted delay.
Efficiency improvements can be made by letting $S$ use $k$ secret keys, instead of a single one.
This allows $k$ times as many receivers to be served in the same time span, since executions with
respect to independently generated secret keys of $S$ can obviously be performed in parallel
without danger. In effect, we then switch to the M/D/k model (with feedback). The trade-off is that
the unlinkability of views to certified public keys does not hold with respect to different public
keys of $S$.

3.6 Parallel Executions of the Issuing Protocol

Conjecture 1 is false if $S$ performs executions of the issuing protocol in parallel when
different blinding-invariant numbers are involved. Let $s_{0i}$ be the blinding-invariant number
for $R_i$, and $s_{0j} \neq s_{0i} \bmod v$ that for $R_j$; the corresponding "not-yet-blinded"
public keys are $h_i$ and $h_j$. In its simplest form (leaving out additional computations that
need to be performed to completely blind the certified key pair, in order to prevent unduly
obscuring of the description), the attack on the two parallel executions of the issuing protocol
is the following:

(Step 1 for $R_i$) $S$ generates at random a number $w_i \in \mathbb{Z}_n^*$, and sends
$a_i := w_i^v$ to $R_i$.

(Step 1 for $R_j$) $S$ generates at random a number $w_j \in \mathbb{Z}_n^*$, and sends
$a_j := w_j^v$ to $R_j$.

(Cooperation between $R_i$ and $R_j$) $R_i$ and $R_j$ compute $h_k := g^{s_{0k}}$ for an
arbitrary number $s_{0k}$ of their choice ($s_{0k}$ need not be in $\mathbb{Z}_v$; any number in
$\mathbb{N}$ will do). They then compute $c_k := H(h_k, a_i a_j)$.

(Step 2 for $R_i$) $R_i$ sends $c_i := c_k (s_{0j} - s_{0k})(s_{0j} - s_{0i})^{-1} \bmod v$ to
$S$.

(Step 2 for $R_j$) $R_j$ sends $c_j := c_k (s_{0k} - s_{0i})(s_{0j} - s_{0i})^{-1} \bmod v$ to
$S$.

(Step 3 for $R_i$) $S$ sends $r_i := (x y^{s_{0i}})^{c_i} w_i$ to $R_i$.

(Step 3 for $R_j$) $S$ sends $r_j := (x y^{s_{0j}})^{c_j} w_j$ to $R_j$.

$R_i$ and $R_j$ accept if and only if

$r_i^v (h h_i)^{-c_i} = a_i \quad \text{and} \quad r_j^v (h h_j)^{-c_j} = a_j.$

If this verification holds, then $R_i$ and $R_j$ compute

$r_k := r_i r_j\, h^{-((c_i + c_j) \,\mathrm{div}\, v)}\,
g^{-((c_i s_{0i} + c_j s_{0j}) \,\mathrm{div}\, v)}\, g^{(c_k s_{0k}) \,\mathrm{div}\, v}.$

Here and in the proof below, we make abundant use of parentheses in the expressions in the
exponent, in order to prevent confusion about the priority of the involved operators.
the exponent, in order to prevent confusion about the priority of the involved operators. 

Proposition 9 If $R_i$ and $R_j$ accept, then

$(s_{0k}, 1), h_k, (r_k, c_k)$

is a certified key pair.

Proof It is clear that $h_k = g^{s_{0k}} 1^v$, and so we must show that $h_k, (r_k, c_k)$ is a
certified public key, i.e., that

$c_k = H(h_k, r_k^v (h h_k)^{-c_k}).$

Since $R_i$ and $R_j$ compute $c_k$ according to $c_k := H(h_k, a_i a_j)$, this follows from:

$a_i a_j = r_i^v (h h_i)^{-c_i}\, r_j^v (h h_j)^{-c_j}$
$\quad = (r_i r_j)^v\, h^{-(c_i + c_j)}\, g^{-(c_i s_{0i} + c_j s_{0j})}$
$\quad = \left( r_i r_j\, h^{-((c_i + c_j) \,\mathrm{div}\, v)}\,
g^{-((c_i s_{0i} + c_j s_{0j}) \,\mathrm{div}\, v)} \right)^v\,
h^{-((c_i + c_j) \bmod v)}\, g^{-((c_i s_{0i} + c_j s_{0j}) \bmod v)}$
$\quad \overset{(*)}{=} \left( r_i r_j\, h^{-((c_i + c_j) \,\mathrm{div}\, v)}\,
g^{-((c_i s_{0i} + c_j s_{0j}) \,\mathrm{div}\, v)} \right)^v\,
h^{-c_k}\, g^{-((c_i s_{0i} + c_j s_{0j}) \bmod v)}$
$\quad \overset{(**)}{=} \left( r_i r_j\, h^{-((c_i + c_j) \,\mathrm{div}\, v)}\,
g^{-((c_i s_{0i} + c_j s_{0j}) \,\mathrm{div}\, v)} \right)^v\,
h^{-c_k}\, g^{-((c_k s_{0k}) \bmod v)}$
$\quad = \left( r_i r_j\, h^{-((c_i + c_j) \,\mathrm{div}\, v)}\,
g^{-((c_i s_{0i} + c_j s_{0j}) \,\mathrm{div}\, v)} \right)^v\,
h^{-c_k}\, g^{-c_k s_{0k} + v ((c_k s_{0k}) \,\mathrm{div}\, v)}$
$\quad = \left( r_i r_j\, h^{-((c_i + c_j) \,\mathrm{div}\, v)}\,
g^{-((c_i s_{0i} + c_j s_{0j}) \,\mathrm{div}\, v)}\,
g^{(c_k s_{0k}) \,\mathrm{div}\, v} \right)^v\, h^{-c_k}\, g^{-c_k s_{0k}}$
$\quad = r_k^v (h h_k)^{-c_k}.$

The substitution in (*) is allowed because $c_k < v$ and so

$(c_i + c_j) \bmod v = \left( c_k (s_{0j} - s_{0k})(s_{0j} - s_{0i})^{-1} \bmod v
+ c_k (s_{0k} - s_{0i})(s_{0j} - s_{0i})^{-1} \bmod v \right) \bmod v$
$\quad = \left( c_k (s_{0j} - s_{0k})(s_{0j} - s_{0i})^{-1}
+ c_k (s_{0k} - s_{0i})(s_{0j} - s_{0i})^{-1} \right) \bmod v$
$\quad = c_k (s_{0j} - s_{0i})(s_{0j} - s_{0i})^{-1} \bmod v$
$\quad = c_k \bmod v.$

Likewise, since

$(c_i s_{0i} + c_j s_{0j}) \bmod v = \left( s_{0i} \left( (c_k s_{0j} - c_k s_{0k})(s_{0j} -
s_{0i})^{-1} \bmod v \right) + s_{0j} \left( (c_k s_{0k} - c_k s_{0i})(s_{0j} - s_{0i})^{-1}
\bmod v \right) \right) \bmod v$
$\quad = \left( s_{0i} (c_k s_{0j} - c_k s_{0k})(s_{0j} - s_{0i})^{-1}
+ s_{0j} (c_k s_{0k} - c_k s_{0i})(s_{0j} - s_{0i})^{-1} \right) \bmod v$
$\quad = (s_{0j} c_k s_{0k} - s_{0i} c_k s_{0k})(s_{0j} - s_{0i})^{-1} \bmod v$
$\quad = c_k s_{0k} \bmod v,$

the substitution in (**) is allowed. □

In case the application really demands that $S$ can securely run executions of the issuing
protocol in parallel, without any restrictions, we must therefore alter the issuing protocol. The
following minor adjustment is believed to suffice for this purpose. Rather than revealing $s_{0i}$
to $R_i$ before the execution of the issuing protocol, $S$ does not make it known until it has
received $c$ of $R_i$ in Step 2; instead, $S$ only makes $h_i = g^{s_{0i}}$ known initially.
Furthermore, $S$ chooses $s_{0i}$ at random from $\mathbb{Z}_v$; computing $s_{0i}$ from $h_i$
then requires breaking the Discrete Log assumption in $\mathbb{Z}_n^*$. This modification does not
in any way prevent $R_i$ from performing the necessary computations in Step 2, since only $h_i$
needs to be known to $R_i$.

Observe that the attack described above requires the attacking receivers to compute their
respective challenges in terms of $s_{0i}$ and $s_{0j}$, and so this particular attack no longer
works for the adjusted issuing protocol.

Is the modified issuing protocol secure under parallel executions? I strongly believe so, although
I have not been able to come up with a proof with respect to some plausible intractability
assumption. If Conjecture 1 is true then any attack must be such that each of the two challenges
$c_i, c_j$ depends on each of $a_i, a_j$. Based on this observation, an argument for the security
of the modified protocol can be given. Because of the hand-waving nature of this argument, it will
not be included here; the interested reader can find it in the appendix.

3.7 Encoding specific information into the blinding-invariant part

If Conjecture 1 is true, then the non-adjusted version of the issuing protocol is secure under
sequential executions regardless of the distribution of $s_{0i}$, since none of the results that
we have proved depends on the distribution of $s_{0i}$. Therefore, $S$ can use the entire number
$s_{0i}$ to encode specific information in, representing for instance a quantity of credentials
[5]; $S$ in effect then generates $s_{0i}$ according to a highly degenerate distribution.

In the modified protocol not the entire blinding-invariant number $s_{0i}$ can be used to encode
specific information, since it should be infeasible for the receiver to compute $s_{0i}$ from
$h_i$. It is clear that $S$ can use part of the bits of $s_{0i}$ (or a function of $s_{0i}$) for
this purpose, as long as the Discrete Log problem in $\mathbb{Z}_n^*$ remains intractable with
respect to the chosen distribution for $s_{0i}$. But we can do even better than this. Observe that
the only purpose of the modification to the issuing protocol is to ensure that $s_{0i}$ cannot be
computed from $h_i$ in the time period between sending $a$ and returning $c$. If we use the
queueing measures described in Subsection 3.5, this may leave the attacking receivers in a
realistic application with perhaps no more than a fraction of a second to compute a discrete
logarithm with respect to $g$, and so the probability distribution for $s_{0i}$ can be highly
degenerate. In other words, $S$ can use almost all the bits of $s_{0i}$ to encode specific
information in.



This concludes the exposition of the general technique for designing restrictive blind secret-key
certificate issuing protocols. Although the description has been based on the Guillou-Quisquater
signature scheme, enough handles have been provided throughout to easily apply the technique to
any of the other Fiat-Shamir type signature schemes that can be subjected to the technique of Ohta
and Okamoto for designing ordinary blind signature issuing protocols.

4. Relation to Blind Signature Issuing Protocols 

Contrary to restrictive blind issuing protocols for public-key certificates, restrictive 
blind issuing protocols for secret-key certificates are not a particular case of "ordinary"
blind signature issuing protocols. Consider a triple consisting of a secret key, a matching 
public key, and a certificate on the public key. The receiver in the certificate issuing 
protocol can completely blind the public key and the certificate, but not part of the 
secret key. If the certificate would be a public-key certificate, then the protocol would 
indeed be a particular case of an ordinary blind signature scheme; the public key is the 
message and the certificate is the signature on the message, and the pair is blinded. 

However, if the certificate is a secret-key certificate, it is by definition not a digital 
signature on the public key (the extreme opposite is true: pairs consisting of a public 
key and a matching secret-key certificate can be generated by anyone with exactly the 
same probability distribution); the secret key is the message, and the certificate is the 
signature on the message. But the message cannot be blinded, by the very definition 
of a restrictive blind signature issuing protocol; only the signature can. 

5. Conclusion 

A variety of privacy-protecting signature transporting mechanisms can be obtained by 
combining the new restrictive blind signature issuing protocols with an appropriate 
showing protocol between the receiver of the issued triple and a third party. One particularly
interesting such signature transporting mechanism is an untraceable off-line electronic cash
system, first studied by Chaum, Fiat and Naor [10]. In [1] I introduced the most efficient and
versatile untraceable off-line cash system known to that date. As will be appreciated, the new
issuing protocols can be combined fairly straightforwardly with the techniques developed in [1]
for achieving prior restraint of double-spending with fall-back to traceability after the fact. By
basing the restrictive blind secret-key certificate issuing protocol on the Schnorr signature
scheme, the resulting cash system is considerably more efficient than the system in [1]. The
interested reader is referred to [4], and to [2] for practical optimizations. In [6] the
application to Internet payments is discussed.

In [5] general techniques are described for designing showing protocols that can be combined with
restrictive blind signature issuing protocols in order to design general privacy-protecting
signature transporting mechanisms (also known as credential mechanisms, first studied by Chaum
[9]). Here, again, the use of restrictive blind issuing protocols instead of a cut-and-choose
issuing protocol enables significant improvements in terms of efficiency, functionality, and
provability of security properties of the credential mechanisms. Instead of using Chaum's technique
of encoding different types of credentials by using different signature schemes, in the new
credential mechanisms credentials are encoded into the blinding-invariant parts of secret keys;
this enables the holder of a set of credentials to prove a variety of predicates of his credentials
without providing additional information.

As the reader may have noticed, we have never used the fact that $S$ may know the factorization of
the modulus $n$. The sole reason for not having done so is that in Fiat-Shamir type signature
schemes that are based on the Discrete Log assumption, such as the Schnorr signature scheme, the
signer also does not have such trapdoor information at its disposal, and our goal was to explain a
generally applicable technique. However, if we allow $S$ to know (and make use of) the
factorization of $n$, a powerful technique becomes available, which enables the Issuer in the
credential mechanisms of [5] to update credentials without needing to know their current values.
This updating technique is not possible in credential mechanisms based on cut-and-choose issuing
protocols.

In sum, the demonstrated technique for designing efficient secret-key certificate issuing
protocols has a direct bearing on the design of efficient and versatile privacy-protecting
credential mechanisms.
The Security of the Modified Issuing Protocol for Parallel Executions

As announced in Subsection 3.6 an argument will be provided here for the security of the modified
issuing protocol under parallel executions. Although the line of arguing presented below may seem
to be very restricted, some study will reveal that most attacks that come to mind amount to the
attack considered by the argument.

Consider an "algebraic" attack on the parallel version of the modified restrictive blind signature
issuing protocol. For the sake of simplicity, we will restrict ourselves to two parallel executions
of the issuing protocol, each with respect to a different blinding-invariant number; the argument
can easily be generalized. Since $v$-th powers can always be multiplied in and out of the
verification relation, without loss of generality we furthermore will leave $s_{1i}$ out of our
considerations. Raising the verification relations for each of the two protocol executions to a
power, and multiplying the results, we obtain:

The goal of the attackers is to determine a number $s_{0k}$, not equal modulo $v$ to each of
$s_{0i}$ and $s_{0j}$, and numbers $l_i, c_i, c_j$ and $l_j$ for which the responses $r_i$ and
$r_j$ can be combined into a response $r_k$ such that $(c_k, r_k)$ is a secret-key certificate on
$g^{s_{0k}}$. At the time the attackers have to provide $c_i$ and $c_j$ to $S$ they only have two
random numbers $a_i$ and $a_j$ of $S$ at their disposal. If Conjecture 1 is true then each of $c_i$
and $c_j$ must depend on both $a_i$ and $a_j$ if the attack is to have a significant success
probability.

Setting

$c_k := H(g^{s_{0k}}, a_i^{l_i} a_j^{l_j}), \quad r_k := r_i^{l_i} r_j^{l_j}, \quad
a_k := a_i^{l_i} a_j^{l_j},$

the attackers must ensure that

This can be solved for $(l_i, l_j, s_{0k})$ by the attackers if they can solve

$\begin{pmatrix} 1 & 1 \\ s_{0i} & s_{0j} \end{pmatrix}
\begin{pmatrix} c_i l_i \\ c_j l_j \end{pmatrix} =
\begin{pmatrix} c_k \\ c_k s_{0k} \end{pmatrix} \bmod v,$

since the remaining "div $v$" terms can be multiplied into $r_k$ later on. Since $\mathbb{Z}_v$ is
a field, and the matrix on the left-hand side is non-singular because $s_{0i} \neq s_{0j} \bmod v$,
this leads to:

$\begin{pmatrix} c_i \\ c_j \end{pmatrix} =
\begin{pmatrix} (c_k / l_i)\, (s_{0j} - s_{0k}) / (s_{0j} - s_{0i}) \\
(c_k / l_j)\, (s_{0k} - s_{0i}) / (s_{0j} - s_{0i}) \end{pmatrix} \bmod v.$
Knowing neither one of*, *o; because of the intractability of the Discrete Log problem, 
it seems that the attackers must determine s ok , U; such that neither of ft and e, 
depeuHs on « or So;- In other words, , ofc , Ij must be chosen in such a way that ,- 0 , 
and s oj drop out. Taking s Qk equal to 5 « or s oi modulo • would obviously work, but 
this does not meet the goal of the attackers (that is, this is legitimate behavior, not an 
attack). 

From $c_k = H(g^{s_{0k}}, a_i^{l_i} a_j^{l_j})$ we see that $c_k$ depends on each of $s_{0k}$, $l_i$ and $l_j$. Because
$H(\cdot)$ is a (correlation-free) collision-intractable hash function, it should be infeasible to
determine $c_k$ as an "algebraic" function of $s_{0k}$, $l_i$, $l_j$. What this means is that $c_k / l_i$ and
$c_k / l_j$ can be chosen independently at random by the attackers, but not such that $c_k$ is
independent of $s_{0k}$: if $s_{0k}$ is varied, then $c_k$ is implicitly varied along with it.

The gist of this argument is that it seems infeasible to misuse two parallel executions
of the issuing protocol in such a way that the unknown blinding-invariant numbers
$s_{0i}$ and $s_{0j}$ drop out of the matrix equation.
11.8.1 Blind signature schemes

The purpose of a blind signature is to prevent the signer B

A blind signature protocol requires the following components:

1. A digital signature mechanism for signer B. $S_B(x)$ denotes the signature of B on $x$.

2. Functions $f$ and $g$, known only to the sender, such that $g(S_B(f(m))) = S_B(m)$. $f$ is called a blinding function, $g$ an unblinding function, and $f(m)$ a blinded message.

Property 2 places many restrictions on the choice of $S_B$ and $g$.

11.118 Example (blinding function based on RSA) Let $n$

$= m^d \bmod n = S_B(m)$, as required by property 2.

□

Protocol 11.119 presents a blind signature scheme which uses the digital signature
mechanism and functions $f$ and $g$ described in Example 11.118.

11.119 Protocol Chaum's blind signature protocol

SUMMARY: sender A receives a signature of B on a blinded message. From this, A computes
B's signature on a message $m$ chosen a priori by A, $0 \le m \le n-1$. B has no
knowledge of $m$ nor of the signature associated with $m$.

1. Notation. B's RSA public and private keys are $(n, e)$ and $d$, respectively. $k$ is a random
secret integer chosen by A satisfying $0 \le k \le n-1$ and $\gcd(n, k) = 1$.

2. Protocol actions.

(a) (blinding) A computes $m^* = m k^e \bmod n$ and sends this to B.

(b) (signing) B computes $s^* = (m^*)^d \bmod n$, which it sends to A.

(c) (unblinding) A computes $s = k^{-1} s^* \bmod n$, which is B's signature on $m$.
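Protocol 11.119 run end to end, as an added example that is not part of the handbook's text: both parties' steps are shown, B's signature on $m$ is recovered by unblinding, and the result is checked against an ordinary RSA verification. The RSA parameters are constructed toy values and the function names are my own.

```python
# Added example (not from the handbook): Chaum's RSA blind signature, Protocol 11.119.
import math
import secrets

def rsa_keygen_toy():
    """Constructed toy RSA key for B. Real deployments use a ~2048-bit n;
    these small primes are for illustration only."""
    p, q = 10007, 10009            # constructed small primes
    n = p * q
    phi = (p - 1) * (q - 1)
    e = 65537
    d = pow(e, -1, phi)            # e*d = 1 mod phi(n)
    return (n, e), d

def blind(m, n, e):
    """Step (a), sender A: pick a random k with gcd(n, k) = 1 and compute m* = m k^e mod n."""
    while True:
        k = secrets.randbelow(n - 1) + 1   # 1 <= k <= n-1; k = 0 is excluded by the gcd condition
        if math.gcd(n, k) == 1:
            break
    return (m * pow(k, e, n)) % n, k

def sign_blinded(m_star, n, d):
    """Step (b), signer B: s* = (m*)^d mod n. B sees only m*, never m."""
    return pow(m_star, d, n)

def unblind(s_star, k, n):
    """Step (c), sender A: s = k^{-1} s* mod n, which is B's signature on m."""
    return (pow(k, -1, n) * s_star) % n

def verify(m, s, n, e):
    """Ordinary RSA verification of the unblinded signature: s^e mod n == m."""
    return pow(s, e, n) == m

def run_protocol(m, pub, d):
    """Run steps (a)-(c); returns what B saw (m*, s*) and what A ends up with (s)."""
    n, e = pub
    m_star, k = blind(m, n, e)
    s_star = sign_blinded(m_star, n, d)
    s = unblind(s_star, k, n)
    return m_star, s_star, s

if __name__ == "__main__":
    pub, d = rsa_keygen_toy()
    n, e = pub
    m = 123456789 % n
    m_star, s_star, s = run_protocol(m, pub, d)
    print("B saw m* =", m_star, "and returned s* =", s_star)
    print("A holds s =", s, "valid under (n, e):", verify(m, s, n, e))
```

Because $k^{ed} \equiv k \pmod n$, the unblinded value equals $m^d \bmod n$, i.e. exactly the signature B would have produced on $m$ directly, although B only ever saw $m^*$ and $s^*$.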